Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was detected in CodeAstro Online Classroom 1.0. Impacted is an unknown function of the file /OnlineClassroom/studentlogin. Performing a manipulation of the argument sid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
AnalysisAI
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the sid parameter in the /OnlineClassroom/studentlogin endpoint, enabling data exfiltration and modification with low complexity exploitation. Public exploit code is available, increasing real-world risk despite the moderate CVSS score of 6.3.
Technical ContextAI
The vulnerability exists in the student login functionality of CodeAstro Online Classroom, specifically in the /OnlineClassroom/studentlogin file where user-supplied input (sid parameter) is directly incorporated into SQL queries without proper parameterization or validation. This is a classic CWE-89 SQL injection flaw where an attacker can manipulate database queries to extract sensitive information, modify records, or potentially escalate privileges depending on database permissions and configuration. The attack vector is network-based, suggesting the login endpoint is accessible over HTTP/HTTPS without network-level restrictions.
RemediationAI
Apply a security patch from CodeAstro that implements parameterized queries (prepared statements) for the sid parameter in the /OnlineClassroom/studentlogin endpoint. Contact CodeAstro directly at https://codeastro.com/ for the latest patched version, as specific version numbers are not provided in available advisories. As an interim compensating control, restrict access to the /OnlineClassroom/studentlogin endpoint via Web Application Firewall (WAF) rules that validate sid format strictly (e.g., allow only alphanumeric characters matching expected student ID format) and block payloads containing SQL metacharacters (quotes, semicolons, comments). This reduces exploitability without patching but may block legitimate legitimate logins if student IDs contain special characters - coordinate with CodeAstro to confirm expected sid format before deployment. Additionally, enable SQL query logging and monitoring to detect active exploitation attempts.
More in Online Classroom
View allSQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fid parameter in
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries v
A flaw has been found in CodeAstro Online Classroom 1.0. This affects an unknown part of the file /addnewfaculty. Execut
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26927